Reforming Openreach’s governance: Ofcom’s proposals

In my last post, I summarised Ofcom’s initial conclusions from its review of the UK digital communications market. One of Ofcom’s conclusions was that the functional separation of BT’s Openreach division (which provides last mile access) from the rest of BT, and the associated regulation of the relationship between BT and Openreach (implemented by binding undertakings), was not sufficiently effective in constraining BT’s ability to discriminate against its competitors. As a result, Ofcom’s initial conclusion is that governance should be reformed to give Openreach increased strategic and operational autonomy. Although Ofcom very carefully avoid reaching a firm view, they seem to favour legal separation as a mechanism for reform, with lukewarm endorsement of (just) enhanced governance. Ofcom say that only if implementation of whatever is decided or agreed proves ineffective in addressing the concerns identified will they look at structural separation.

Separation options considered

Whilst many of BT’s competitors had asked Ofcom to consider structural separation of BT, Ofcom’s initial conclusion is that the issues that were raised could potentially be addressed through reform of Openreach’s governance and that at this stage structural separation would be a disproportionate remedy. In reaching that conclusion Ofcom considered eight alternative structures:

[Figure: 8 models of separation]

BT and Openreach currently operate under model 5, functional separation with local incentives. Ofcom’s initial paper discusses the merits of moving to model 6 (reformed governance), 7 (legal separation) and 8 (structural separation) as ways of addressing the problems they identify.

Structural Separation (model 8)

As well as considering the implications for BT, Ofcom looked at international examples of structural separation including Australia, New Zealand and Singapore. However, all of these were largely driven by a different regulatory imperative – that of ensuring that government investment and subsidy for deployment of broadband networks was made into an entity that was not part of the incumbent. As previously discussed on this blog, the Singapore example serves more to highlight the challenges of achieving true separation and its benefits rather than acting as a blue-print.

Whilst Ofcom’s paper doesn’t rule out structural separation in the future, their decision to look at reformed governance and/or legal separation in the first instance is driven by their desire to be proportionate and choose the least intrusive method of regulation. However, the experience of competition regulators is that detailed ongoing behavioural remedies can be more intrusive than one-off structural remedies, and so the question arises as to whether the same view (which of course will require ongoing regulatory oversight by Ofcom) would be reached if looked at by a competition regulator.

I also had some interesting private comments to my last post, one of which suggested that the real question was whether the boundary between Openreach and BT was in the right place, and that it was perhaps better redrawn with Openreach managing passive assets only – something only touched upon by Ofcom in their consideration of the practicalities of separation.

Enhanced Governance Reform (model 6)

Ofcom flag that one of their main concerns is that “Openreach does not have sufficient strategic and operational autonomy to ensure the equal treatment of all downstream customers.”

Ofcom go on to suggest that Openreach’s governance would need, at a minimum, to be reformed as follows:

“… solutions to the concerns identified would need to embed further specific behaviours by Openreach in a number of areas, including:

  • More independent governance, with a responsibility to serve all customers equally: Creating an Openreach Board with more independent governance within the current model of functional separation.
  • Increasing Openreach’s autonomy over budget and decision-making: This could address our concerns related to decision-making by giving Openreach increased financial autonomy to take strategic decisions on network investment, network maintenance and operational systems. One way of achieving this would be to increase the delegated authority given to the Openreach Chief Executive from the BT Board to make individual decisions on the allocation and use of funds. One outcome of this increased autonomy could be the ability for Openreach to reach co-investment or risk sharing agreements with operators other than BT.
  • Improving Openreach’s approach to consultation with customers: We want to ensure that Openreach listens and takes into account the views of all its customers in making decisions that could impact downstream operators. Specifically, we could establish obligations for Openreach to consult openly with downstream operators on substantial investment and innovation decisions. For example, commitments to transparency when considering new network investments, consideration of any alternative proposals and consultation at an early stage on any favoured proposals. The EAB, or another independent body, would need to check compliance with such obligations.
  • Enhancing Openreach’s operational capability: Giving Openreach the ability to draw upon dedicated support services could address our concerns over its operational ability to deliver its priorities. This would ensure Openreach has sufficient internal capability to manage both its strategy and manage external supply arrangements. Such changes would have to be weighed up against any potential loss in efficiency or scale benefits.”

Ofcom then observe that these measures may be “insufficient on their own”. This is quite an interesting formulation from Ofcom: if they don’t think the measures are sufficient, then why raise them as an option? Ofcom then go on (in a somewhat tentative way) to suggest that a stronger set of governance reforms would meet their concerns.

Legal separation of Openreach (model 7)

Ofcom then go on to suggest what appears to be their favoured option: the hive-down of the Openreach business to a wholly owned subsidiary within the BT group, i.e. legal separation of Openreach, with the retention of economic ownership by BT and restrictions on BT’s influence over and control of Openreach. Ofcom summarise it as follows:

  • “Separate Openreach Board: Openreach would become a wholly owned subsidiary of BT Group, making the relationship between it and BT’s other divisions more transparent. The Openreach Board would be separate of the wider group and hold executive powers of decision-making over Openreach’s activities in the interests of the legally separate Openreach, rather than the wider interests of BT Group.
  • Responsibility to serve all customers equally: An explicit responsibility for Openreach to treat all downstream customers equally might be established through the objects and purposes of the company in its articles of association.
  • Autonomy over investments and decision-making: The new Openreach Board might be given more autonomy over capital investments and the broader use of cash within the business.
  • Ability to raise funds: There are different options for how a wholly owned subsidiary could raise funds. There may also be appropriate ways for BT Group to finance Openreach without directly influencing how the funds are spent. Alternatively, Openreach could raise funds directly from the market or fund network investments through contributions from downstream providers, secured by contract.
  • Statutory accounts: An important aspect of the model is that BT Group shareholders would retain full ownership of Openreach and continue to benefit from any associated profits. As a legally separate subsidiary Openreach would be required to file full statutory accounts, including a separate balance sheet, profit and loss statement, and cash flow. This would improve transparency of cost and asset allocations.”

Whilst Ofcom recognise that this approach creates some implementation challenges, it remains to be seen if they have fully appreciated the costs and complexity of this option. It involves many of the downsides of structural separation but does not remove the incentive to discriminate, which means that it will still require ongoing intrusive behavioural regulation.


Ofcom’s UK digital communications review: BT can keep Openreach (for now…)

On 25 February 2016 Ofcom published its initial conclusions from its strategic review of the UK’s digital communications market. Whilst much of the headline press coverage has focused on BT being able to retain Openreach, provided its governance is reformed, Ofcom’s review goes much wider than the regulation of Openreach and sets the strategic direction for UK telecoms regulation for the next decade.

However, as someone who has seen successive regulators try alternatives including accounting separation, functional separation and now reformed functional separation, whilst technology has moved from cellular telephones that could only be said to be mobile if you drove the car carrying them to modern smart devices, what is striking is the persistence of incumbency, and in particular of the ‘last mile’ connection. Whilst Ofcom’s proposals go wider than just addressing this bottleneck, the most interventionist regulation is aimed at this problem, which of course tacitly admits that the last strategic review, done just after Ofcom was formed, failed.

The rest of this post explains how Ofcom reached its conclusions.

What is Ofcom trying to achieve?

Legal Duties

Ofcom is of course a statutory body and the Communications Act 2003 sets out Ofcom’s duties, with Ofcom’s primary duties being:

to further the interests of:

(a) …citizens in relation to communications matters; and

(b) …consumers in relevant markets, where appropriate by promoting competition.


The challenge for Ofcom is understanding how to turn this duty into something that allows it, on a day-to-day basis, to take decisions, all of which involve trade-offs. This is where the vision comes in, as Ofcom can then test each of its decisions and see whether it helps or hinders the achievement of that vision. Ofcom explains that in 2016 its ten-year vision is that:

  • everyone in the UK will enjoy fast, reliable broadband services. Most consumers and businesses will move from ‘superfast’ to ‘ultrafast’ broadband, based increasingly on competing networks, and the latest mobile phone technologies will be rolled out across the UK’s geography;

  • the UK will move towards a new fibre future, with widespread availability of competing ‘fibre to the premise’ and cable networks to homes and businesses. As more consumers and businesses enjoy a greater choice of networks, competition will drive both innovation and affordable prices;

  • people who do not have a choice of providers, do not enjoy even a basic level of service (whether through social circumstance or simply due to where they live), or find it hard to take advantage of offers in the market, will be protected through effective, targeted intervention; and

  • the UK will be a world leader in the availability and capability of its digital networks.

Areas of strategic focus

Ofcom then explains that it will organise its work into five main areas to achieve its vision, with a final sixth theme of seeking to reduce regulation being applied across everything that Ofcom does.

The five areas are:

  1. securing a wide availability of services;
  2. promoting investment and competition;
  3. delivering a step-change in quality of service;
  4. strengthening Openreach’s independence; and
  5. empowering and protecting consumers.

Each of these areas is then examined by Ofcom, and its analysis of the issues to be addressed forms the basis for Ofcom’s proposals. In Ofcom’s own words they are:

Securing a wide availability of services

“From a UK-wide perspective, the availability of fixed and mobile services is good. Most consumers can now access high broadband speeds at home and in their place of work, as well as mobile voice and data services while on the move.

However, some areas of the UK do not have access to an acceptable level of service. The starting point for any future communications strategy must be to ensure that everyone shares in the benefits of a modern digital society.

The Government’s plan for a right to decent, affordable broadband is central to our availability strategy. We will prioritise supporting plans for a 10Mbit/s broadband Universal Service Obligation (USO) to ensure that all people and small businesses have access to decent broadband speeds. Over time, we expect that the USO will need to evolve to ensure all consumers and businesses benefit as technologies and services improve.

We will also secure wide availability of services by:

  • enabling further investment in fixed networks, especially the transition from superfast to ultrafast broadband services, through competitive mechanisms wherever possible;
  • exploring options for extending mobile coverage. We will seek to place new coverage obligations on companies who win new spectrum licences. The 700MHz band is particularly well suited to providing such coverage;
  • supporting the UK Government’s reform of the Electronic Communications Code; and
  • providing consumers and businesses with accurate, comparable and accessible coverage information across communications services so that they can make better choices about their services.”

Promoting investment and competition

“Our strategic objective in relation to fixed networks is to encourage the large scale deployment of new fibre networks over the next decade, driving the widespread availability of competing ultrafast broadband services.
To deliver this we will:

  • make it easier for competing providers to build their own fibre networks, across as much of the UK as is practicable, by providing them with access to Openreach’s network of underground ducts and telegraph poles;
  • price access to BT’s network in ways that encourage providers to build their own networks while protecting consumers from excessive pricing;
  • deregulate where network based competition is effective; and
  • continue to promote competition based on other forms of access to Openreach’s network, where effective network competition does not arise.

In mobile, there is no change to our existing strategy. We want the UK to continue benefiting from competition between four national network providers, and a range of resellers. We will work to ensure that the necessary wireless spectrum is made available. If we see takeovers or mergers leading to fewer, bigger network operators, and consumers are worse off as a result, this could lead us fundamentally to rethink our approach to competition and investment in mobile services.”

Delivering a step-change in quality of service

“Widely available networks and services alone are not enough. Consumers and businesses also need these networks and services to be reliable and of a high quality. While most consumers report that they are satisfied with telecoms services, their expectations of quality are rising. The sector needs to deliver significantly better quality of service than it does today.

Our concerns include Openreach’s performance, but extend beyond it to all providers. For example, not only are we concerned about the volume of faults on Openreach’s copper network and about how quickly Openreach repairs them; but also about the customer service that retail providers offer when something goes wrong.

For Openreach, we intend to:

  • set more demanding minimum standards, extending them to new areas as necessary; and
  • set wholesale pricing controls that strengthen Openreach’s incentives to make long term investments in service quality.

For the wider sector, we will:

  • drive improvements to service quality by making more information accessible to consumers and businesses; and
  • publish an annual Service Quality Report showing how telecoms companies compare. Well-informed consumers who are able to make informed decisions are better able to hold providers to account for the service quality they deliver.

In addition, we intend to work with industry to improve coordination between providers where this is affecting service quality: for example, to reduce missed appointments and solve consumers’ in-home problems. Finally, we will look to introduce automatic compensation for consumers and small businesses when something does go wrong.”

Strengthening Openreach’s independence

“BT has a crucial role to play in ensuring that consumers and businesses enjoy good communications services, given its market position and the continued reliance competitors will have on its network.

However, we are concerned that the current model of functional separation fails to remove sufficiently BT’s ability to discriminate against competitors. Therefore risks to competition remain.

Given the concerns identified, continuing the status quo is not an option. We have decided to reform the relationship between Openreach and BT Group to give the former greater independence and autonomy. Under this new structure, Openreach should have:

  • more independent governance structures and processes, with a responsibility to serve all wholesale customers equally;
  • independent technical and operational capabilities;
  • greater autonomy over its budget, and over its strategic and operational decision making; and
  • an ongoing responsibility to consult with all customers in the same way.

One option that might achieve this is structural separation, but we recognise that this would entail significant disruption. We will therefore consider whether a strengthened model of functional separation could deliver the greater independence and autonomy for Openreach that we believe is necessary. If functional separation cannot be strengthened, we reserve the right to take forward structural separation.

We are now developing detailed proposals, which we will discuss with the European Commission later this year.”

Empowering and protecting consumers

“Even when choices are available, people need practical information and tools to take advantage of what the market can offer. This need becomes increasingly important as communications services increase in diversity and complexity.

To help people make informed choices, we will:

  • publish more detailed information, including on: service quality and customer response; fixed and mobile service availability; and broadband speeds;
  • work to introduce a standard cost comparison measure, such as average monthly cost of the core elements of a service over the contract period, so consumers can more easily compare different products;
  • closely monitor the impact of providers’ adherence to the Advertising Standards Authority’s broadband price advertising rules;
  • work with third parties, such as price-comparison websites, to improve information consumers have to hand before they buy; and
  • identify what more can be done for consumers who are not responsive to this information, for example, through stronger triggers to consider other deals when contracts expire.

We will follow up our work on Openreach network switching with proposals to make mobile switching easier. We will also complete our review of switching triple-play services (i.e., phone line, TV and broadband).

Some consumers will find it difficult to engage effectively with the market regardless of the information available to them. We will therefore take more direct action to help protect such consumers, for example, by tracking market prices more closely and intervening directly to provide protections for the most vulnerable.

Finally, we will continue to protect consumers when things go wrong, from issues such as nuisance calls to various forms of fraud.”



Singapore decides framework for allocation of 235 MHz of additional spectrum and encourages 4th MNO

On 18 February 2016, Singapore’s Infocomm Development Agency (IDA) published its decision on the framework for the allocation of an additional 235 MHz of spectrum. This follows its earlier consultations. Key points are set out below:

Two stage process to encourage market entry by new entrant (4th MNO)

The IDA wants to encourage market entry by a fourth mobile network operator (MNO), so has split the auction into two stages. First, there will be a ‘new entrant’ spectrum auction for 60 MHz (comprising 2 x 10 MHz in the 700 band, 2 x 10 MHz in the 900 MHz band and 20 MHz of the 2.3 GHz TDD band) from which the existing MNOs are excluded. This will be followed by a second auction of the remainder of the spectrum to the incumbent MNOs and the new entrant (if any). The reserve price for the new entrant spectrum has been lowered from SGD 40 million to SGD 30 million. The process has been designed to limit market entry to only one additional MNO.

New entrant needs to pre-qualify

Any new entrant needs to pre-qualify for the auction. To pre-qualify a bidder must:

  • be an incorporated company;
  • not have rolled out or own any nationwide mobile system or network in Singapore; and
  • not be an associate of any incumbent MNO and/or of another qualified potential new entrant bidder.

The last condition means that any consortia will need to be formed prior to qualification for bidding.

In addition, pre-qualification will also require bidders to demonstrate:

  • their technical capabilities; and
  • financial capacity, including a bank guarantee and performance bond.

No other material regulatory assistance for new entrant

Apart from the spectrum allocation and price, there is no other regulatory assistance for the new entrant. The IDA has decided not to mandate wholesale roaming access for the new entrant, and is not proposing to relax any regulatory obligations.

Auction processes defined

The new entrant auction will be a simple ascending round auction, and the second auction a more complex ‘Clock Plus’ format.

Next steps

The IDA will make an information package for potential new entrants available on 3 March. The IDA will issue further auction documents setting out more detail.


Governing development finance organisations: measuring development impact

Governance is important for both private and public sector organisations. For development finance organisations (such as IFC, CDC, African Development Bank and Asian Development Bank), which are publicly funded and invest in developing countries, it is critical. A key part of governance is setting goals and measuring the development impact of their investments against them.

The objectives of development finance organisations are often framed at a very broad level of abstraction:

“[IFC’s] goals are to end extreme poverty by 2030 and boost shared prosperity in every developing country.”

“CDC’s mission is to support the building of businesses throughout Africa and South Asia, to create jobs and make a lasting difference to people’s lives in some of the world’s poorest places.”

One of the governance challenges faced by these organisations is understanding how their day to day activities, and in particular their investments, contribute towards the achievement of these objectives. This is in part governed by the setting of goals and measurement of the impact of each investment.

By way of example, the IFC governs its development impact by:

  1. setting goals (IFC Development Goals);
  2. using its Development Outcome Tracking System (DOTS) to measure the development results of investment (and advisory) services, as shown below:

[Figure]

  3. the evaluation of outcomes and impact.

By contrast, CDC (focused on the growth of businesses and the creation of jobs) appears to place more emphasis on assessing its ability to make development impact at the time of making each investment decision:

“We remain interested in achieving and measuring positive impact across a broader dimension, but the job creation focus ensures we direct capital thoughtfully and prioritise our limited resources behind a mission that inspires us. We believe job creation is essential in both Africa and South Asia where two thirds of those of working age are today without formal jobs and where demographic growth will greatly exacerbate this challenge over the next decade. At an individual level, employment has a transformative effect on the life of an individual and his/her family and dependents.

We have therefore created an ex ante tool that turns theory into practice and ensures we invest our capital towards our objective of creating jobs, especially in the more challenging places. This new methodology, designed with the help of our shareholder and academics and economists, is embedded in our investment processes and we use it to assess every investment opportunity at Investment Committee for its potential to create the impact that we are seeking.”

Whilst in reality the approaches adopted by the various organisations are not so different, it would appear that the three stage governance process adopted by the IFC across the life-cycle of investments provides greater opportunity for scrutiny, reflection and learning at all stages of the investment process than that adopted by CDC.








Hong Kong privacy regulator recognises ISO/IEC 27018

This guest post is written by @matthew1hunter and @aisling1odwyer.

Regular readers of this blog will know we have been tracking the impact of ISO/IEC 27018:2014 – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018). We see this as the go-to standard for customers of public cloud computing services. In a significant move, the Hong Kong Privacy Commissioner for Personal Data (Privacy Commissioner) has recently recognised the value of ISO/IEC 27018 in its revised Cloud Computing Information Leaflet (Information Leaflet).

The Information Leaflet is a helpful piece of guidance which sets out the practical steps cloud customers should take to ensure they comply with the Hong Kong privacy laws when using cloud computing services. In the leaflet the Privacy Commissioner recognises ISO/IEC 27018 as “a comprehensive reference that has met the need to assist the selection of cloud providers by data users”.

Recap on ISO/IEC 27018

We previously covered the publication of ISO/IEC 27018, and also discussed how ISO/IEC 27018 would be a useful tool for customers looking to ensure compliance with privacy laws in Singapore and other countries.

We predicted regulators would begin to recognise and refer to ISO/IEC 27018 in setting privacy standards for customers of cloud computing services. Hong Kong provides the most recent example of this. We also predicted the adoption of ISO/IEC 27018 by market-leading cloud service providers (CSPs).

Why Hong Kong and its Privacy Commissioner matter

Hong Kong was one of the early adopters of privacy laws in Asia, and has an established and well-respected privacy regime. Its Personal Data (Privacy) Ordinance (PDPO) has been in force since December 1996 and the independent Privacy Commissioner has played an active role in promoting and maintaining high privacy standards since then.

It is very significant that the Privacy Commissioner in Hong Kong has recognised the benefits of ISO/IEC 27018 in its Information Leaflet. This endorsement sets the stage for wider recognition of ISO/IEC 27018 as the go-to international standard for protecting personal information in the cloud.

When regulators accept ISO/IEC 27018 as the global gold standard for CSPs, this makes the lives of customers, CSPs and regulators easier. It is easier for customers and CSPs to ensure compliance with one international standard that facilitates compliance with most national-level privacy laws, rather than starting with each of the national-level privacy laws.

Does ISO/IEC 27018 help customers in Hong Kong?

Hong Kong’s privacy laws, set out in the PDPO, place obligations on organisations in relation to the collection, processing, use and deletion of data. Organisations that wish to use cloud computing services need to assess how they can implement such services and continue to comply with the PDPO, and in particular, its six data protection principles.

The revised Information Leaflet alerts customers to their obligations under the PDPO and highlights three overarching points cloud customers should have in mind when choosing a CSP. These points are:

  1. Rapid transborder data flow: CSPs may have data centres in multiple jurisdictions and customers need to know their data will have the same level of protection wherever it is stored.
  2. Loose outsourcing arrangements: Customers need to know that any CSP sub-contractors are subject to the same standards as their CSP, and that there are legally enforceable contracts in place between the CSP and its sub-contractors.
  3. Standard services and contracts: Customers need to carefully evaluate whether their specific security and personal data privacy protection needs are met by any standard contract offered.

It is helpful then to note that the controls introduced by ISO/IEC 27018 help customers to address these points. Taking each in turn:

  1. CSPs are required to disclose and document where personal data will be processed and the controls in ISO/IEC 27018 are applicable no matter where the personal data is located;
  2. ISO/IEC 27018 requires CSPs to be transparent about their use of sub-contractors and enter into written agreements with any sub-contractors, preventing weak, informal outsourcing arrangements; and
  3. ISO/IEC 27018 imposes strict security standards that CSPs must adhere to, which are applicable even where the CSP and the customer are contracting on standard terms.

In summary: Hong Kong’s privacy laws impose a range of obligations on customers, some of which apply to the customer’s use of cloud computing services. ISO/IEC 27018 is a helpful tool for customers to rely on to meet those obligations. If a customer’s CSP commits to comply with ISO/IEC 27018, this should reassure the customer that the CSP’s solution will help the customer to comply with the relevant obligations under Hong Kong’s privacy laws.


The recognition of ISO/IEC 27018 by the Hong Kong regulator shows that the standard is a robust tool, capable of addressing important questions customers will have to consider when choosing a CSP.

Hong Kong now joins privacy regulators in Australia, Belgium, Canada, Germany and Slovenia (among others) who have all recognised the benefit ISO/IEC 27018 offers as a global standard for CSPs. We anticipate that more CSPs will commit to ISO/IEC 27018 and also that more customers will look for CSPs that commit to the standard (e.g. by adding a requirement in their RFPs for CSPs to be compliant with ISO/IEC 27018).


Global IT tariffs eliminated? WTO wakes up?

Used under a creative commons licence granted by Alejandro Linares Garcia


“Mr. Praline: Look, matey, I know a dead parrot when I see one, and I’m looking at one right now.

Owner: No no he’s not dead, he’s, he’s restin’! Remarkable bird, the Norwegian Blue, idn’it, ay? Beautiful plumage!”

– Monty Python

Based on a press release from the World Trade Organisation, and tweets from its Director-General Roberto Azevedo, it would appear that the WTO is about to defy persistent reports of its death and come back to life with its first agreement on tariff elimination in eighteen years.

Covering a wide range of technology and IT products including new generation semi-conductors, GPS navigation equipment and medical equipment, including magnetic resonance imaging products and ultra-sonic scanning apparatus, the proposed agreement will lead to the elimination of import tariffs in a uniform and non-discriminatory manner – the ‘most-favoured nation’ principle, under which no WTO member is treated worse than the most-favoured nation. The WTO estimates that the value of trade covered by the prospective agreement amounts to USD 1 trillion.

In recent decades, the process required to reach agreement at the WTO has resulted in deadlock and an increased focus on regional trade negotiations such as TPP, in part because agreement is perceived as being easier to reach in these by virtue of their involving a smaller group of participants amongst whom a common goal can be agreed. Further, whilst students of David Ricardo still extol the virtues of free trade, in recent years the WTO has come under attack both from populist anti-globalisation movements and from domestic political pressure against trade liberalisation in many countries.

Against this backdrop, why does it now seem likely that the WTO will reach an agreement including the world’s largest trading blocs (US, China and EU) as well as much of SE Asia? The simple answer to this question is that everyone has something to gain. The reason for this is the global spread of technology – almost every country has technology exporters of some sort (bearing in mind that many manufacturing facilities for MNCs are in low wage economies) and/or sees clear benefits in importing technology.

It is welcome to see that the global community still sees the benefit of global trade agreements – the next big question is whether this will lead to a wider reinvigoration of the WTO as a means of advancing trade negotiations, as opposed to regional negotiations like the TPP.







Good news from Korea for FSI cloud customers and CSPs

A guest post by @matthew1hunter and @danieljung88

This week the Korean financial services regulator announced regulatory changes that will make it easier for financial services institutions (FSIs) in Korea to use cloud computing services.  First, FSIs will now be allowed to engage cloud service providers (CSPs) whose data hosting infrastructure is located overseas.  Second, FSIs will no longer need approval from the regulator to use cloud computing services.  Third, FSIs will no longer need to sign the regulator’s standard form contract with CSPs, so the parties can agree their own contract. 

In this post, we look at what has changed, how the changes compare with regulations in other countries and why these changes are good news.  You should also note that this is the second of two recent steps forward for cloud computing in Korea; in April this year we posted a report on Korea’s new (and the world’s first) cloud-specific law.

What has changed?

The Financial Services Commission (FSC) and the Financial Services Supervisor (FSS) announced in a joint press release (on 9 June 2015) revisions to the Regulation on Financial Institutions’ Outsourcing of Data Processing Business & IT Facilities (dated June 2013) (the Regulation).  The FSC stated that with these changes it “intends to reduce financial institutions’ burden relating with outsourcing of data processing”.

There are four changes:

  1. FSIs will be allowed to offshore data processing to a professional IT company whose infrastructure is located outside of Korea.
  2. FSIs will no longer be required to obtain approval from the FSC in order to outsource IT facilities.
  3. FSIs will be allowed to outsource their data processing without notifying the FSS of all the information prior to outsourcing.  Instead they can report the outsourcing to the FSS after the event.  FSIs will only be required to notify the FSS of an outsourcing in advance if customers’ financial transaction information will be outsourced.
  4. FSIs will no longer be required to sign the standard form contract when contracting with CSPs, as long as the contract includes the regulatory requirements (e.g. obligations to permit the regulator to supervise and inspect the CSP).

How do the Korean regulations compare now to those in other countries?

These changes bring the Korean regime more into line with the regimes in many other countries in the Asia-Pacific region, including Singapore, New Zealand, Australia, Hong Kong and Japan.

For more information on the regulations that impact the use of cloud computing by FSIs in the Asia-Pacific region, see our report, published with the Asia Cloud Computing Association (the ACCA Report).

These changes also bring the Korean regime into line with the recommendations made in the ACCA Report.  The report sets out recommendations to regulators.  The aim of the recommendations is to make it easier for FSIs to use cloud computing services.  The ACCA Report states that regulators should: allow the use by FSIs of offshore CSPs; not require FSIs to obtain approval for the use of cloud computing services; and not be prescriptive about the content of contracts between FSIs and CSPs.  Korea now scores well against these recommendations and the report will be updated in the next version.

Why are these changes good news for FSIs and CSPs?

  • These changes will make it easier for FSIs in Korea to use cloud computing services.  FSIs around the world are benefiting from cloud computing services.  The services offer many benefits to FSIs, including security, agility, reliability, scalability and (not to forget) potential cost savings. Korean FSIs should and now will be able to benefit in the same way as FSIs in other countries.
  • These changes will help domestic FSIs in Korea to compete more evenly with international FSIs. Before now, international FSIs could transfer data to their other locations around the world for processing.  Domestic FSIs were unable to enjoy the benefits of offshore service providers.  Now all FSIs can transfer data offshore, to other branches (for international FSIs) and to IT service providers, including CSPs.
  • These changes should make it easier in the future for other cloud customers in Korea (not just FSIs) to use cloud computing services. The FSI sector is generally recognized as a heavy user of IT services and this activity is heavily regulated.  Potential cloud customers in other sectors may look towards the FSI sector for a lead.  The more the FSI sector opens up to the use of cloud, the more other sectors are likely to follow.
  • These changes may influence other regulators in the region to take similar approaches. Regulators talk, and they watch one another.  There has been plenty of discussion about increased rules on data sovereignty.   In these discussions it is helpful to be able to point to regulators, like the FSC in Korea, that allow international transfers of data.  The focus should not be on the location of the data, but always on whether or not the data is adequately protected.  The more markets that follow this lead, the better.
  • The changes will increase and improve competition in the Korean CSP market.  International CSPs will be able to compete to provide services to FSI cloud customers in Korea, where they were previously unable to.  CSPs who were reluctant to enter the Korean market may now be persuaded to do so.  We believe that increased competition is healthy for customers and between competitors.

We believe this is a good step forward for the cloud computing market in Korea.  We hope that more regulators will follow suit.  We will keep you posted on further developments.


3 new data privacy tools from Singapore’s data regulator

Singapore’s Personal Data Protection Commission (PDPC) has been busy. It has just published a number of new resources to help businesses comply with the Personal Data Protection Act. Here are the three we have identified as having the biggest practical application for companies in Singapore.

1. Sample clauses and guidance for marketing consents.

For companies collecting data for marketing purposes, these standard clauses will help. They cover a broad range of scenarios, including consent in the context of membership applications and lucky draws, and language for the withdrawal of consent. The PDPC has also published some guidance to support the sample clauses.

2. Guide to securing data “in electronic medium”.

For organisations which store data in an electronic format (so, pretty much everyone), these guidelines list certain specific IT security measures that can be implemented to enhance security, split into “good practice” and “enhanced practice”.

3. Guide to managing data breaches.

The PDPC has published a step-by-step guide to managing data breach situations, from development of a data breach management plan through to containing the breach, assessing the risk and impact, reporting the incident (including a requirement that the PDPC should be notified of breaches, particularly those involving sensitive data) and preventing future breaches.

Singapore’s business-friendly approach

Of course, none of the tools above represents an automatic route to compliance and the required approach will differ from one organisation to the next. Nonetheless, the growing pool of resources from the PDPC covers a broad range of practical measures that organisations should now be implementing. It also underlines the PDPC’s strategy of being a business-friendly data protection regulator, in line with Singapore’s mission of becoming the world’s first smart city and the data processing hub for South-East Asia.


Korea leads the world with cloud law encouraging cloud use

On 3rd March 2015, Korea passed the world’s first cloud-specific law, with the stated aim of driving the adoption of cloud computing in Korea. But what are the practical implications for cloud customers and cloud services providers in Korea?



This guest post is written by Daniel Jung and @matthew1hunter.

When does the Korean Cloud Act come into force?

On 3 March 2015, the Korean National Assembly passed the Act on the Development of Cloud Computing and Protection of Users (Korean Cloud Act).  The bill had been under consideration since October 2013.  The final version of the Korean Cloud Act is available here (currently only available in Korean).

The Korean Cloud Act comes into force on 28th September 2015.  Before the Korean Cloud Act comes into force, the Ministry of Science, ICT and Future Planning (Ministry) will establish additional rules for cloud services (as explained below).

What will the Korean Cloud Act do?

The good news for cloud customers and cloud services providers alike is that the Cloud Act aims to promote the cloud market in Korea.

The Korean government sees the cloud computing market as a vital industry for future IT development and intends to build a solid foundation to raise Korea’s global competitiveness in the industry.

The Korean Cloud Act aims to do this by:

  1. boosting investment and support in the cloud market, in particular by the government;
  2. permitting (and encouraging) the use of cloud services (including public cloud services) by public institutions; and
  3. placing appropriate safeguards on cloud services providers (CSPs).

Taking these three points in turn:

1. Korea is going to invest time and effort in enhancing the cloud market.

The Korean government is keen to boost its investment in the cloud market.  In this respect, under the Korean Cloud Act, the Ministry is to establish plans (and update them every three years) to enhance the cloud market.  This will include: setting out plans for the development of the cloud computing market; cloud computing related research and expert training; financial and other support for local SMEs providing cloud services and ancillary services; establishing pilot projects; tax incentives; and collaboration with other countries.

2. Public institutions in Korea can and should use cloud services.

The Korean Cloud Act encourages public institutions to implement cloud services as a priority, in order to benefit from cost efficiency, improved productivity and industrial competitiveness.  In order to assist with this encouragement, the Korean Cloud Act permits the use of cloud services by public institutions.

3. The bar for protecting customers’ information has been raised – and cloud customers should expect their CSPs to comply.

Security and privacy issues have always been perceived as being the main roadblocks to the use of cloud services.  To address this the Korean Cloud Act imposes certain obligations on CSPs to try to remove the roadblocks and drive the use of cloud services in a way that addresses security and privacy concerns. In practical terms, CSPs have some new obligations to comply with, and cloud customers will want to look for CSPs who can meet these requirements. In particular, CSPs should note the following important points (and consider their compliance levels):

  • CSPs must report information leakage to their customers and the Minister.  An investigation may then follow.
  • CSPs must not provide their customers’ information to a third party or use it for purposes other than the designated purpose without consent.
  • CSPs must return or delete the relevant customer’s information upon termination of the relevant cloud contract.
  • If a CSP hosts a customer’s information outside of Korea, the customer may request the CSP to disclose the location.
  • If a customer incurs losses due to the deliberate or negligent acts of a CSP which violate the Cloud Act, the customer may bring a claim for compensation against the CSP.  The onus will be on the CSP to prove that the CSP’s act was not deliberate or negligent.
  • The Minister will establish additional obligations that cover the quality/capability of cloud services, appropriate service levels and standards for information protection.  It is anticipated that a cloud services certification system will be implemented.
  • A standardised contract for use when providing cloud services is also anticipated.

The Korean Cloud Act has teeth

Any person who uses or discloses a customer’s information to a third party without consent shall be punished by imprisonment for not more than 5 years or with a fine not exceeding KRW 50 million (about USD 46,500).  Slightly reduced levels of fines will apply to breaches of the other obligations listed above.

Areas not currently addressed by the Korean Cloud Act

The Korean Cloud Act doesn’t deal with data classification.  One of the perceived hurdles, in particular for public institutions, to using cloud services, is the ability to determine what categories of data can be hosted by CSPs.  There are different ways of categorizing data and clear guidelines on the subject help to overcome this hurdle.  This is an area that may be considered in the future. Nonetheless, the clear endorsement of cloud services in the Korean Cloud Act will likely be sufficient evidence for most that the Ministry considers that cloud is appropriate for the vast majority of data held by public institutions.

The Korean Cloud Act doesn’t address the limits imposed by other (quite strict) regulations in Korea.  For example, the financial services sector is subject to strict regulations that are potentially delaying the adoption of cloud services in the sector. CSPs and cloud customers alike will be hoping that this clear endorsement of cloud will drive regulatory change in other sectors.

The Korean Cloud Act states that the Personal Information Protection Act (PIPA) will continue to apply in regard to personal data.  However, as the Ministry develops further plans and regulations, the obligations in the Cloud Act will sit alongside those in the PIPA and will likely add a layer of additional requirements (although the focus of these additional obligations will be CSPs).

The Korean Cloud Act doesn’t, as yet, point to any particular international standards.  In other countries, authorities point to international standards (e.g. ISO/IEC 27001 and ISO/IEC 27018) as appropriate measures to assess CSPs, i.e. does the CSP comply with these standards.  It’s interesting to note that the controls in the new international standard for public cloud services, ISO/IEC 27018, appear to meet many of the new requirements included in the Cloud Act (and go further than many of them), so CSPs who comply with ISO/IEC 27018 will not have any trouble complying with the new Cloud Act requirements.

What next?  

CSPs should consider their levels of compliance and cloud customers in Korea should, as a matter of good practice whenever they procure or use cloud services, ask their CSP how their solution complies with the Korean Cloud Act. Reputable CSPs should have no problems providing a satisfactory response to customer questions about the Korean Cloud Act.

In addition, CSPs and customers alike should wait for further updates from the Ministry on the plans to support the cloud market and the plans for further obligations/requirements in relation to cloud services.


ISO 27018 – the international standard for protecting PII in the public cloud – Where are we now?

Since its release in August 2014, ISO 27018 is becoming well established as the “go to” standard to help cloud customers to comply with their privacy obligations when using public cloud services.  Privacy regulators recognise and refer to the new standard.  Cloud customers are using it in their RFP requirements and in their assessments of CSPs.  And CSPs themselves can and should adopt and commit to the new standard. 

A guest post by Matthew Hunter (@matthew1hunter) and Daniel Jung.

A reminder

We reported last year about the publication of this new standard: “ISO/IEC 27018:2014 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” (“ISO 27018”).

In a subsequent post, we discussed how ISO 27018 helps cloud customers in Singapore to comply with Singapore’s Personal Data Protection Act (PDPA).  We concluded that if a cloud customer engages a cloud services provider (CSP) that complies with ISO 27018 (e.g. adopts and contractually commits to ISO 27018), then the cloud customer can be confident that the CSP’s solution will help the cloud customer to comply with its key legal obligations under the PDPA relevant to its use of cloud services.  We carried out the same research for other countries and the same conclusion applies: cloud customers who use CSPs that comply with ISO 27018 will be better able to comply with relevant privacy law obligations in Australia, Hong Kong, Japan, Korea, Malaysia, New Zealand and European countries, including France, Germany, Spain and the UK.

In this post we will look at the latest developments in the market in relation to ISO 27018 and at how ISO 27018 is becoming the “go to” standard to help cloud customers to comply with their privacy obligations.  We will also provide pointers for cloud customers, CSPs and regulators on how to benefit from ISO 27018.

The latest ISO 27018 developments


Since August 2014, we have seen regulators around the world recognise and refer to ISO 27018 (and this should come as no surprise as regulators often refer to ISO standards (e.g. ISO 27001)).

  • In Australia, the OAIC referred to ISO 27018 in its guide to securing personal information (January, 2015).
  • In Belgium, the privacy commission referred to ISO 27018 in its Guidance on Security & Privacy in the Cloud (December, 2014).
  • In Canada, the OIPC posted on its blog that ISO 27018 allows access to the benefits of the cloud whilst keeping control of data (March, 2015).
  • In Germany, a state regulator’s cloud guidance highlights the use of ISO 27018 for cloud (October, 2014).
  • In Slovenia, the Information Commissioner indicated that ISO 27018 is consistent with its requirements and should help to address the lack of confidence in cloud (January, 2015).

These regulators and others are continuing to consider the use of ISO 27018.  The Belgian authority is also working on an analysis of ISO 27018 to be included in a global recommendation to customers using cloud.  The PDPC in Singapore is also considering the use of ISO 27018.

Cloud customers

Customers in the public and the private sector are looking at including ISO 27018 in their RFP requirements and in their procurement contracts, in the same way they have done with other ISO standards.  These are the kinds of discussions we have been having with, and recommendations we are making to, our clients.

Cloud customers have been, in the past, slow to adopt cloud services.  In part, this has been because of regulatory concerns.  But ISO 27018 has provided cloud customers with a convenient solution to address privacy regulations when using public cloud services.  We have seen that cloud customers who use CSPs that comply with ISO 27018 will be better able to comply with relevant privacy law obligations in many jurisdictions.

Cloud services providers

CSPs can now adopt and commit to ISO 27018.

Earlier this year Microsoft, one of the leading CSPs in the market, became the first CSP to adopt and commit to ISO 27018.  An independent audit confirmed its services incorporate all of the ISO 27018 controls and the ISO 27018 controls will become part of Microsoft’s contractual commitment to its customers.  We expect to see other CSPs follow suit.

No standalone certification is available as yet for ISO 27018.  However, compliance with ISO 27018 is demonstrated through an ISO 27001 certification that incorporates all of the controls from ISO 27018.  By going through this kind of assessment process, CSPs (and ultimately their customers) can be certain of their ISO 27018 compliance.  To remain compliant, CSPs must undergo yearly independent reviews.  This is what the likes of Microsoft will do.

The more regulators recognise and refer to ISO 27018 and the more customers require compliance with ISO 27018, the more CSPs will need to adopt and commit to ISO 27018.  Like other ISO standards before it, ISO 27018 will become the norm.

What next for ISO 27018?

Regulators are adopting ISO 27018, customers are requiring compliance with ISO 27018 and CSPs are committing to ISO 27018 compliance.  ISO 27018 is already becoming the norm (just like other ISO standards).

We expect this to continue.  The adoption of cloud services is increasing across all sectors: financial services, retail, energy, logistics, manufacturers, travel and all kinds of SMEs.  In the public sector governments have pushed “public cloud first” style policies in the US, Europe, Australia and Singapore.  It is in the interest of governments to allow cloud services to be adopted in the public and private sectors.  The benefits of cloud services are clear.  But at the same time the compliance challenge will not disappear.  The regulation of data is on the rise (and rightly so).  Data should be regulated; it is a valuable and sensitive asset.  This is why ISO 27018 is proving helpful; customers can benefit from cloud services but at the same time ensure compliance with privacy regulations.
